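# NixOS module: runs AdGuard Home as a filtering DNS resolver with a fixed
# set of known ("persistent") clients.
#
# Exposure summary for reviewers:
#   - web/admin UI: all interfaces, TCP port `services.adguardhome.port`
#   - DNS:          all interfaces, UDP and TCP port `settings.dns.port`
# Both are reachable from every network the host is attached to once the
# firewall is opened, so this module assumes the host is not directly
# reachable from the Internet (TODO confirm against the host's network setup).
{
  config,
  lib,
  ...
}:
let
  inherit (lib) mkIf;
  cfg = config.services.adguardhome;
  dnsPort = cfg.settings.dns.port;
in
{
  config = {
    # `services.adguardhome.openFirewall` only opens the web-interface port, so
    # the DNS port has to be opened here. DNS uses TCP as well as UDP
    # (truncated/large answers are retried over TCP), so open both transports;
    # with UDP alone those retries are dropped by the firewall.
    networking.firewall.allowedUDPPorts = mkIf cfg.openFirewall [ dnsPort ];
    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ dnsPort ];

    services.adguardhome = {
      enable = true;
      port = 3000;
      # Opens the admin UI port in the host firewall (all interfaces).
      openFirewall = true;
      settings = {
        http = {
          # Admin UI listens on every interface. No TLS settings are visible in
          # this file, so credentials presumably travel over plain HTTP unless
          # a reverse proxy or VPN sits in front — verify.
          address = "0.0.0.0:${toString cfg.port}";
        };
        # Login brute-force limit: after 5 failed attempts the source is
        # blocked from logging in for 10 minutes.
        auth_attempts = 5;
        block_auth_min = 10;
        dns = {
          # Resolver answers on every interface; combined with the open
          # firewall ports it serves any host that can reach this machine.
          bind_hosts = [ "0.0.0.0" ];
          port = 53;
          upstream_mode = "load_balance";
          # Upstream list is kept out of the Nix store as an agenix secret.
          # NOTE(review): the decrypted file must be readable by the AdGuard
          # Home service user — confirm the secret's owner/mode where it is
          # declared.
          upstream_dns_file = config.age.secrets.adguard-dns-list.path;
          # Plain (unencrypted) DNS, used only when the upstreams above fail.
          fallback_dns = [ "9.9.9.9" ];
        };
        filtering = {
          filtering_enabled = true;
        };
        clients = {
          # Every known client inherits the global filtering settings. Clients
          # are recognised by IP address only, which labels traffic for the
          # query log and statistics but does not authenticate the device.
          persistent = map (val: val // { use_global_settings = true; }) [
            {
              ids = [
                "100.64.0.1"
                "192.168.178.20"
              ];
              name = "brontes";
              tags = [ "device_pc" ];
            }
            {
              ids = [
                "100.64.0.2"
                "192.168.178.53"
              ];
              name = "oneplus9";
              tags = [ "device_phone" ];
            }
            {
              ids = [ "100.64.0.5" ];
              name = "marr";
              tags = [ "device_laptop" ];
            }
            {
              ids = [ "100.64.0.4" ];
              name = "shan";
              tags = [ "device_pc" ];
            }
          ];
        };
      };
    };
  };
}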